Insecure Randomness for the useof Math.random() in redrawBarForSubchart, redrawLineForSubchart and redrawAreaForSubchart(security vulnerability)

[shubhamvinayak]

• C3 version: v7.0.0
• D3 version: v5.0.0
• Browser: Chrome
• OS: Windows

Since Math.random could potentially return the same value twice and it is not cryptographically secure causing the insecure randomness when we scan the code in the fortify tool.

Please confirm if there is any future plan to remove Math.random and use cryptographically secure code for getting random values.
just by using crypto API

const myArray = new Uint32Array(10);
crypto.getRandomValues(myArray);

1. redrawBarForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12493
2. redrawLineForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12526
3. redrawAreaForSubchart: https://github.com/c3js/c3/blob/master/c3.esm.js#L12562

[kondalraodurgam]

Facing same issue +1

[netil]

For those who are interested on, it has been applied to billboard.js

• refactor(util): remove the use of Math.random() naver/billboard.js#3099